Discussion:
WinCE 5.0 Web server SSL certificate problem
Michael
2005-10-05 23:46:03 UTC
OK, I've banged my head against the wall on this problem for 2 days now, so
it's time to ask for help. I'm trying to enable SSL on the web server in CE
5.0.

I've set the IsEnabled and CertificateSubject registry settings under
Comm\HTTPD\SSL.

I created a .p12 certificate and private key using OpenSSL and imported into
the MY store using PFXImportCertStore. The certificate's CN matches the
device's hostname. The validity dates are OK. The certificate has the
server authentication extended key usage (1.3.6.1.5.5.7.3.1). The import
seems to go OK. I can see the cert listed in the MY store. But when the
httpd server starts, I get this message:

HTTPD: AcquireCredentialsHandle failed, no SSL will be performed. Error =
0x8009030d

I'm stumped! What could be causing this problem? Has anyone actually
gotten WinCE 5.0 with web/ssl working?

Thanks for any hints you might be able to give me...

Michael

p.s. Here is my cert as reported by OpenSSL:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, O=Test, OU=intermediateCA, CN=Michael Wang, intermediate/emailAddress=***@gmail.com
Validity
Not Before: Jul 1 12:00:00 2005 GMT
Not After : Jul 1 12:00:00 2025 GMT
Subject: C=US, ST=CA, O=Esocon, OU=Test, CN=medmon-12345/emailAddress=***@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: md5WithRSAEncryption
John Spaith [MS]
2005-10-07 23:33:49 UTC
I know other people have got SSL working on CE web servers. It is harder
than it should be and for that we apologize.

Err 0x8009030d = SEC_E_UNKNOWN_CREDENTIALS. I spoke with the security PM
about this since this sounds more related to certs than web server itself.
He says:

<
Ask him what value he set for the CertificateSubject registry key.
Maybe also check the time on the device and make sure the cert times are
valid relative to that.
If this doesn't help, there may be some sort of debug zones on
CAPI/SCHANNEL/etc... that may help us get to the bottom of this, assuming
you can get a debug build of the OS going.
--
John Spaith
Software Design Engineer, Windows CE
Microsoft Corporation

Check out the new CE Networking Team Blog at http://blogs.msdn.com/cenet/.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2003 Microsoft Corporation. All rights
reserved.
Michael
2005-10-10 18:17:06 UTC
Hi John,

I was hoping you would see this. I read your posting on this subject back
in June 04.

Yes, my CertificateSubject registry matches my certificate, otherwise, I
would have gotten a different error.

Yes, my certificate validity dates straddle the current date on the device.

I am running a debug build, but I suspect that I do not have the debug
versions of the schannel, rsaenh, and secur32 dll's because when I go to
target>debug zones and I click on these dll's, I don't see any debug zones
listed. Whereas when I click on httpd, I get lots of debug zones that I can
turn on. But the httpd debug zones don't help; the true source of the error
is not in the httpd code.

John, can you do me a really big favor? I know that the error occurs when
httpd calls m_SecurityInterface.AcquireCredentialsHandle. This is a function
pointer that points to a function inside secur32.dll. I don't have the
source code to secur32, but you probably do. Can you take a look inside
private\winceos\comm\security\secur32\lib and see under what conditions a
SEC_E_UNKNOWN_CREDENTIALS is returned? I'm suspecting that it is not a
certificate problem but something else, perhaps a configuration or build
issue... When I try to single step into that function, PlatformBuilder asks
for the file private\winceos\comm\security\secur32\lib\stubs.c (I'm not sure
whether asking for a file named "stubs.c" should cause concern.....)

I really appreciate any help you can give me!

Michael
John Spaith [MS]
2005-10-10 19:13:51 UTC
I'm not the security guru, but I don't think the stubs.c is of concern. As
you know this could be a red-flag that this was stubbed out on CE, but in
this case I think it's just the stub layer for the different security
providers.

You almost certainly have debug builds of the different security components,
but it looks like they were never modified such that they followed the CE
Debug zone conventions. However... it looks like schannel should have these
debugzones. I'm following up with our security gurus to see what's up with
this.

In stubs.c, you get SEC_E_UNKNOWN_CREDENTIALS returned when the internal error
code PCT_ERR_UNKNOWN_CREDENTIAL or PCT_INT_UNKNOWN_CREDENTIAL is generated.
PCT_ERR_UNKNOWN_CREDENTIAL can never be generated.
PCT_INT_UNKNOWN_CREDENTIAL can be generated in a ton of different spots, all
of which seem to be related to retrieving the private key from the certificate.
Unfortunately the error can be returned if generated from one of a ton of
different conditions; like say in GetPrivateKeyFromCert() it can be from
CryptGetUserKey(), CryptExportKey(), or even on a memory allocation failure
:(.

Not sure if this helps. I'm asking security folks to look at this too.
--
John Spaith
Software Design Engineer, Windows CE
Microsoft Corporation

Check out the new CE Networking Team Blog at http://blogs.msdn.com/cenet/.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2003 Microsoft Corporation. All rights
reserved.
Ganapathy Raman (MS)
2005-10-11 00:14:18 UTC
Michael

If you have a debug version of httpd, it is highly likely you have a debug
version of schannel.dll.
In the CE console, try 'gi proc' followed by 'zo m schannel.dll 0xffff' to
turn on all debug zones for schannel.

Can you send the CertificateSubject value you are using?
Also, how did you verify the successful import of the .p12 (pfx) file,
especially proper import of the private key and not just the certificate?
Did you use the 'certificates' control panel applet and check for the
'private key present' attribute?

--
Ganapathy Raman
Program Manager, Windows CE Security
This posting is provided "AS IS" with no warranties, and confers no rights.
Michael
2005-10-11 17:26:03 UTC
Hi Ganapathy,

Thanks for looking into this.

Using control panel>Certificates GUI, I go to "MY" store, click on my
certificate, then click on "Subject" in the left column, and it says on the
right column: "US, CA, Esocon, Test, medmon-12345, ***@gmail.com". If I
click on "Private Key", it says on the right column: "Present".

I set the schannel debug zone both in the registry and command line, and now
I'm able to see the zones (not sure why I couldn't before). Anyways, the
line with "couldn't export key" looks interesting:

SCHANNEL:BEGIN:SPInitSessionCache
4294882420 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Address space reserved for 50 cache entries.
4294882422 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 139
4294882424 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPCreateCredential
4294882424 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPFormatCredentials
4294882425 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 682
4294882427 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Container:9E3FD72A-BFA1-07C3-7DEA-AB4B71CFFD70
4294882428 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Provider: Microsoft Base Cryptographic Provider v1.0
4294882429 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:KeySpec:0x00000001
4294882430 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Type: 0x00000001
4294882431 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Flags: 0x00000000
4294882511 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Couldn't Export Key 8009000b
4294882512 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPDeleteCredential
4294882513 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 463
4294882514 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 384
4294882515 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 131
4294882516 PID:61dd1026 TID:41cc9206 0x81cc9b24: HTTPD: AcquireCredentialsHandle failed, no SSL will be performed. Error = 0x8009030d

Here is the function that I wrote to import the .p12 cert+key to MY store.
Maybe I'm not setting something correctly? I can also send you my .p12 key
if you want.

// Headers this member function needs on Windows CE (the declaration of the
// PhysCertManager class itself is not part of this post).
#include <windows.h>
#include <wincrypt.h>
#include <tchar.h>
#include <stdio.h>

#ifndef SHA1_HASH_LENGTH
#define SHA1_HASH_LENGTH 20   // size in bytes of a SHA-1 thumbprint
#endif

/**
 * Import the given PKCS12 buffer containing the device certificate and
 * private key into the "MY" store. As a side effect, also return the
 * SHA1 hash of the certificate.
 * Return TRUE on success, FALSE on failure.
 */
BOOL
PhysCertManager::addP12CertToMyStore(BYTE *p12Buf, DWORD p12BufLength,
                                     const WCHAR *passwordW, BYTE *sha1HashBuf)
{
    HCERTSTORE hCertStore1, hCertStore2;
    CRYPT_DATA_BLOB certBlob;
    PCCERT_CONTEXT pCertContext = NULL;
    BOOL rval = TRUE;

    certBlob.pbData = p12Buf;
    certBlob.cbData = p12BufLength;

    if (PFXVerifyPassword(&certBlob, passwordW, 0)) {
        printf("PhysCertManager: p12 password is good!\n");
    }
    else {
        printf("PhysCertManager: password is bad!! Import will definitely fail!\n");
        return FALSE;
    }

    // PFXImportCertStore returns a new in-memory store holding the cert. The
    // private key goes into a CSP key container whose export policy is fixed
    // by the flags passed here.
    hCertStore1 = PFXImportCertStore(&certBlob, passwordW, CRYPT_USER_KEYSET);
    if (hCertStore1 == NULL) {
        wprintf(_T("PhysCertManager: PFXImportCertStore failed, lasterror=%lu\n"),
                GetLastError());
        return FALSE;
    }

    printf("PhysCertManager: User cert with key imported to tmp store!\n");

    // Get the certificate context (first certificate in the temporary store)
    pCertContext = CertEnumCertificatesInStore(hCertStore1, pCertContext);
    if (pCertContext == NULL) {
        printf("PhysCertManager: Could not enum cert context, abort\n");
        CertCloseStore(hCertStore1, CERT_CLOSE_STORE_CHECK_FLAG);
        return FALSE;
    }

    // Get the sha1 hash (thumbprint) for the caller
    DWORD sha1HashBufLength = SHA1_HASH_LENGTH;
    if (!CertGetCertificateContextProperty(pCertContext, CERT_HASH_PROP_ID,
                                           sha1HashBuf, &sha1HashBufLength)) {
        printf("PhysCertManager: get sha1 hash failed, lasterror=%lu\n",
               GetLastError());
        CertFreeCertificateContext(pCertContext);
        CertCloseStore(hCertStore1, CERT_CLOSE_STORE_CHECK_FLAG);
        return FALSE;
    }

    // This just increments the reference count. The extra reference is never
    // released, which is why closing the temporary store below reports
    // CRYPT_E_PENDING_CLOSE; CertAddCertificateContextToStore makes its own
    // copy, so the MY store does not depend on this duplicate.
    CertDuplicateCertificateContext(pCertContext);

    // Now open "MY" system cert store
    HCRYPTPROV hCryptProvider = NULL;
    hCertStore2 = CertOpenSystemStore(hCryptProvider, _T("MY"));
    if (hCertStore2 != NULL) {
        if (CertAddCertificateContextToStore(hCertStore2, pCertContext,
                                             CERT_STORE_ADD_REPLACE_EXISTING,
                                             NULL) == TRUE) {
            printf("PhysCertManager: device cert+key added to MY store\n");
        }
        else {
            printf("PhysCertManager: ERROR: Could not add device cert+key to MY store, lasterror=%lu\n",
                   GetLastError());
            rval = FALSE;
        }
        if (!CertCloseStore(hCertStore2, CERT_CLOSE_STORE_CHECK_FLAG))
            printf("PhysCertManager: ERROR: close of MY store failed, lasterror=%lu\n",
                   GetLastError());
        else
            printf("PhysCertManager: MY store closed.\n");
    }
    else {
        printf("PhysCertManager: ERROR: Could not open MY store, lasterror=%lu\n",
               GetLastError());
        rval = FALSE;
    }

    // The close of the tmp store always returns PENDING_CLOSE.
    // I guess this is OK since the cert context still exists in MY store.
    CertFreeCertificateContext(pCertContext);
    if (!CertCloseStore(hCertStore1, CERT_CLOSE_STORE_CHECK_FLAG)) {
        DWORD lasterror = GetLastError();
        if (lasterror == CRYPT_E_PENDING_CLOSE) {
            printf("PhysCertManager: close of tmp store returned pending close.\n");
        }
        else {
            wprintf(_T("PhysCertManager: ERROR: close of tmp store failed, lasterror=%lu\n"),
                    lasterror);
            rval = FALSE;
        }
    }
    else {
        wprintf(_T("PhysCertManager: tmp store closed.\n"));
    }

    return rval;
}


I think we are getting close!

Michael
Michael
2005-10-11 18:13:02 UTC
Yes! It works now!

That "Couldn't export key" message triggered something in my memory, so I
went back and looked at my PFXImportCertStore call, and sure enough, there is
a flag CRYPT_EXPORTABLE which I did not set. Once I set this flag, https
starts up and I am able to access the web site!

Thank you very much John for sticking with me and following up with others
when our first few tries failed. And thanks Ganapathy for the hint with
schannel! John had mentioned it, but for some reason I couldn't get it to
spew anything out until your email.

Michael
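The failure path the thread's SChannel trace shows, and the fix Michael found, as an added example that is not code from the thread or from Microsoft: a small Python triage script that re-joins the wrapped debug-zone lines, pulls the 8009000b CryptExportKey failure out of SPCreateCredential and maps it to the missing CRYPT_EXPORTABLE flag. The names parse_trace, diagnose and hresult_name are mine; NTE_BAD_KEY_STATE is the Windows SDK name for 0x8009000B, and the numeric flag values are the wincrypt.h definitions.

```python
"""Triage helper for the SChannel debug-zone trace posted in this thread."""
import re

# HRESULTs seen in the thread (symbolic names as in the Windows SDK headers).
# CryptExportKey returns NTE_BAD_KEY_STATE when the key was created without
# CRYPT_EXPORTABLE; AcquireCredentialsHandle then surfaces the generic
# SEC_E_UNKNOWN_CREDENTIALS that HTTPD prints.
SEC_E_UNKNOWN_CREDENTIALS = 0x8009030D
NTE_BAD_KEY_STATE = 0x8009000B
HRESULT_NAMES = {
    SEC_E_UNKNOWN_CREDENTIALS: "SEC_E_UNKNOWN_CREDENTIALS",
    NTE_BAD_KEY_STATE: "NTE_BAD_KEY_STATE",
}

# PFXImportCertStore flags (numeric values as defined in wincrypt.h).
CRYPT_EXPORTABLE = 0x00000001
CRYPT_USER_KEYSET = 0x00001000
IMPORT_FLAGS_FOR_SCHANNEL = CRYPT_USER_KEYSET | CRYPT_EXPORTABLE

# A trace line: <tick> PID:<hex> TID:<hex> 0x<addr>: <COMPONENT>:<message>
LINE_RE = re.compile(
    r"^(?P<tick>\d+) PID:[0-9a-f]+ TID:[0-9a-f]+ 0x[0-9a-f]+:\s*(?P<rest>.*)$")
COMP_RE = re.compile(r"^(SCHANNEL|HTTPD):\s*(.*)$")
EXPORT_FAIL_RE = re.compile(r"Couldn't Export Key ([0-9a-fA-F]{8})")
ACH_FAIL_RE = re.compile(r"AcquireCredentialsHandle failed.*Error = 0x([0-9a-fA-F]{8})")

def _split_comp(rest):
    m = COMP_RE.match(rest)
    return (m.group(1), m.group(2).strip()) if m else (None, rest.strip())

def parse_trace(text):
    """Return (tick, component, message) tuples. Lines without the tick/PID/TID
    prefix are newsreader wraps and are glued back onto the previous event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            comp, msg = _split_comp(m["rest"])
            events.append([int(m["tick"]), comp, msg])
        elif events and events[-1][1] is None:
            # The prefix line carried no component; this wrapped line has it.
            events[-1][1], events[-1][2] = _split_comp(line)
        elif events:
            events[-1][2] = (events[-1][2] + " " + line).strip()
        else:
            comp, msg = _split_comp(line)
            events.append([0, comp, msg])
    return [tuple(e) for e in events]

def diagnose(text):
    """Correlate the CryptoAPI failure inside SPCreateCredential with the
    SEC_E_UNKNOWN_CREDENTIALS that HTTPD finally reports."""
    result = {"in_create_credential": False, "export_error": None,
              "ach_error": None, "root_cause": None, "fix": None}
    for _tick, comp, msg in parse_trace(text):
        if comp == "SCHANNEL" and msg.startswith("BEGIN:SPCreateCredential"):
            result["in_create_credential"] = True
        m = EXPORT_FAIL_RE.search(msg)
        if m and comp == "SCHANNEL":
            result["export_error"] = int(m.group(1), 16)
        m = ACH_FAIL_RE.search(msg)
        if m and comp == "HTTPD":
            result["ach_error"] = int(m.group(1), 16)
    if result["export_error"] == NTE_BAD_KEY_STATE:
        result["root_cause"] = (
            "SChannel calls CryptExportKey on the server private key while "
            "building the credential and got NTE_BAD_KEY_STATE: the key "
            "container was created without CRYPT_EXPORTABLE")
        result["fix"] = ("re-import the .p12 with PFXImportCertStore flags "
                         "0x%08X (CRYPT_USER_KEYSET | CRYPT_EXPORTABLE)"
                         % IMPORT_FLAGS_FOR_SCHANNEL)
    elif result["ach_error"] == SEC_E_UNKNOWN_CREDENTIALS:
        result["root_cause"] = ("SChannel could not use the private key; "
                                "inspect the SPCreateCredential steps")
    return result

def hresult_name(code):
    """Symbolic name for the HRESULTs this thread deals with."""
    return HRESULT_NAMES.get(code, "0x%08X" % code)

# The trace Michael posted, with two of the newsreader wraps left in place
# so that parse_trace has something to glue back together.
THREAD_TRACE = """
SCHANNEL:BEGIN:SPInitSessionCache
4294882424 PID:61dd1026 TID:41cc9206 0x81cc9b24:
SCHANNEL:BEGIN:SPCreateCredential
4294882429 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:KeySpec:0x00000001
4294882511 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Couldn't Export
Key 8009000b
4294882512 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPDeleteCredential
4294882516 PID:61dd1026 TID:41cc9206 0x81cc9b24: HTTPD:
AcquireCredentialsHandle failed, no SSL will be performed. Error = 0x8009030d
"""
```

Running diagnose(THREAD_TRACE) reports NTE_BAD_KEY_STATE inside SPCreateCredential and points at the import flags, which is exactly the step the "Private key: Present" check in the Certificates applet cannot distinguish.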